Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
quote:
--------------------------------------------------------------------------------
Originally posted by Obie Thank you all for your help. I do have a couple more queries.
I flushed all my rules within iptables and have the following listed as local policy
1) What does "opt" refer to?
Hmm.. No idea..
--------------------------------------------------------------------------------
Does anyone know?
quote:
--------------------------------------------------------------------------------
Allow your web traffic with --dport 80 in OUTPUT chain or --source www.etc.com in your INPUT chain.. You send to port 80, but can get the resulting reply from another port.
--------------------------------------------------------------------------------
Ok. Why do certain guides mention --dport in the INPUT chain for example when blocking Port 113.
Originally posted by Obie quote:
--------------------------------------------------------------------------------
Allow your web traffic with --dport 80 in OUTPUT chain or --source www.etc.com in your INPUT chain.. You send to port 80, but can get the resulting reply from another port.
--------------------------------------------------------------------------------
Ok. Why do certain guides mention --dport in the INPUT chain for example when blocking Port 113.
Because some of malicious program's port numbers are fixed. For example, a SubSeven lamer tries to connect port 1243 of infected computer. So you must block the traffic that has a destination of port 1243 and can do this by using a --destination-port 1243 in the INPUT chain. Also when you want to block SSH requests, again you must use --destination-port 22 for a working sshd on it's standart port. But there is no warranty for a port number in a web connection as i said before.
Originally posted by Obie When would there be any reference under "opt" or should I say when would someone match packet fragments?
For example if a TCP/IP packet is bigger than maximum packet size, it will be fragmented and only first one will contain the valid headers. So, when you want to block SSH traffic, you can LOG the first part (containing valid headers) and DROP the remaining part if there are any. An iptables rule like below will be shown in iptables -L output and DROP any fragment of TCP packet traffic:
2) Say for example I wish to allow icmp(ping) requests from my box, I would use the following command iptables -A OUTPUT -p icmp -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT. This would allow me to send out icmp packets. What I am attempting to comprehend is that I also noticed I require an INPUT rule. Is this because (A) I must allow the packet to return with a reply (B) completely something else. Also would this be the case for every OUTPUT rule I create? How does it affect INPUT rules?
Iptables can track packets based on these states:
NEW, ESTABLISHED, RELATED and INVALID
So if you want to be able to ping and receive ping replys you need to allow ESTABLISHED / RELATED packets. This will cover all traffic including ftp http etc...
The rule would look something like this:
$IPTABLES -A INPUT -p ALL -d eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
For forwarding it looks like this:
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
quote:
------------------------------------------------------------------------------
Iptables can track packets based on these states:
NEW, ESTABLISHED, RELATED and INVALID
So if you want to be able to ping and receive ping replys you need to allow ESTABLISHED / RELATED packets. This will cover all traffic including ftp http etc...
The rule would look something like this:
$IPTABLES -A INPUT -p ALL -d eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
For forwarding it looks like this:
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
------------------------------------------------------------------------------
/bin/bash,
Thanks. I read the man pages of -m state --state however don't quite get what the states "NEW, ESTABLISHED, RELATED and INVALID" are for. Would you mind giving examples of each and when I would use them. I appreciate your help.
Originally posted by Obie quote:
------------------------------------------------------------------------------
Iptables can track packets based on these states:
NEW, ESTABLISHED, RELATED and INVALID
So if you want to be able to ping and receive ping replys you need to allow ESTABLISHED / RELATED packets. This will cover all traffic including ftp http etc...
The rule would look something like this:
$IPTABLES -A INPUT -p ALL -d eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
For forwarding it looks like this:
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
------------------------------------------------------------------------------
/bin/bash,
Thanks. I read the man pages of -m state --state however don't quite get what the states "NEW, ESTABLISHED, RELATED and INVALID" are for. Would you mind giving examples of each and when I would use them. I appreciate your help.
NEW: Packets which are for opening a new connection. For example if you want to block ftp, ssh connections, then block the NEW packets. ESTABLISHED: Packets which are belonging to already opened connection. For example when you connect to a host with ssh and give the command `ls' then this packets will have the status ESTABLISHED. RELATED: Packets which are going to open a new connection but coming from an ESTABLISHED connection. For example when you're connected to a host with ftp and going to begin a file transfer; then your ftp client will open a ftp-data connection and these packets will have the status RELATED. INVALID: As it's name said, they neither open a new connection nor belong to already opened one. The seem random and so they're INVALID.
Thanks. Just a few queries in relation to your reply:
"NEW: Packets which are for opening a new connection. For example if you want to block ftp, ssh connections, then block the NEW packets."
If I wish to block FTP for example why wouldn't I just block tcp port 21 rather than apply the status NEW
"ESTABLISHED: Packets which are belonging to already opened connection. For example when you connect to a host with ssh and give the command `ls' then this packets will have the status ESTABLISHED"
This I get that if a connection is successful then it has the status ESTABLISHED however how does that relate to iptables
"RELATED: Packets which are going to open a new connection but coming from an ESTABLISHED connection. For example when you're connected to a host with ftp and going to begin a file transfer; then your ftp client will open a ftp-data connection and these packets will have the status RELATED."
This I kinda get but it confuses me due to the examples above.
Originally posted by ppuru True, a default INPUT DROP with no additional rules INPUT rules to accept specific traffic will block all incoming traffic (including the traffic from your local interface lo).
You must have come across documentation mentioning different firewall philosophies, for instance mostly open , mostly closed. It is my understanding that mostly closed firewalls are the most secure. The idea behind this approach is to reject all traffic that is not explicitely allowed. It is expressed in iptables by setting default policies set to DROP.
Note that if you work on your firewall box remotely it is quite possible that you will lock yourself out a few time, ie you will block your own local network traffic. This will happen more specifically if you flush your rules while the default input policy is set to drop. The solution is to log locally on the firewall box and force the default policy to accept.
You'll also discover eventually that other tables than accept, output and forward exist, namely the nat and mangle tables. You should leave these tables policies to accept. Port forwarding is insanely difficult (impossible?) otherwise.
For the input, output and forward chains, I apply drop, accept and drop default policies resp. My rationale:
- Traffic originating from the internet is considered unsafe. Since it goes through the input and forward chain, the default policy for these chains shall be drop.
- The output chain is used by the firewall box itself. I do not have a need to restrict outgoing traffic (it is a home firewall in a safe environment), so I leave this chain default policy to accept. It makes the firewall a bit less complex too.
I just noticed something. Everytime I restart the PC or start it up, the rules I assigned to the chains within iptables are lost and all policies are set to ACCEPT despite the fact that I had changed it earlier. Is there any reason why iptables would automatically flush itself on a reboot or start up? What can I do to prevent it from doing so?
On redhat/fedora systems, you need to use the command:
iptables-save > /etc/sysconfig/iptables
This should make the changes to iptables persistant after reboots. As a side note, I'm not trying to tell you to RTFM, but most of this information is readily available in the netfilter website docs or in the iptables man page. Redhat also maintains fairly comprehensive docs on iptables/netfilter and it's Redhat-specific usage.
The file /etc/sysconfig/iptables is created the first time you use that command. After that there is a startup script at /etc/rc.d/init.d/iptables which looks for the file and if it finds the file it will load the rules from it. So you only need to run that command one time. The same thing happens if you run the command:
service iptables save
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.